quasar | 33309db8c10091283aec28c59f055b58562e7780767ddf0feb39ac67c3d787de | Triage

Submit
Reports

Overview

overview

Static

static

1

7a6db8aecc...d7.exe

windows7-x64

7a6db8aecc...d7.exe

windows10-2004-x64

Sharing

General

Target

7a6db8aecc2376ec7dfc50085757841523fb69135e364b70c7319bf7a39209d7.zip
Size

1.3MB
Sample

230321-qnrpgsad68
MD5

54f4f1e98f07fc182d5ce66e16d6b37b
SHA1

de81237247a5126b7b15d09bc4e99d58bddf8a8a
SHA256

33309db8c10091283aec28c59f055b58562e7780767ddf0feb39ac67c3d787de
SHA512

810770f1ebca06ce746cb054f4789b5c4d4bad16e60da77aead27b935aeeb2dee45bb648de2b69ad2f224ed442bb2f4581c51cfd4f790c9aca5b0833d36ed5ed
SSDEEP

24576:fsbZ/I8ymAalXfNNIJuilyiQtMsNd0SV5C5yWR0QxRyjWmbai2ERVa:fWZrymTNKJQvMsNLZDjFai2ER8

Score

10^/10

quasar success persistence spyware trojan

Static task

static1

Behavioral task

behavioral1

Sample

7a6db8aecc2376ec7dfc50085757841523fb69135e364b70c7319bf7a39209d7.exe

Resource

win7-20230220-en

quasar success persistence spyware trojan

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

7a6db8aecc2376ec7dfc50085757841523fb69135e364b70c7319bf7a39209d7.exe

Resource

win10v2004-20230220-en

quasar success persistence spyware trojan

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

SUCCESS

C2

41.185.97.216:4782

Mutex

MUTEX_QAxMFzrXWG2cbIHPGK

Attributes

encryption_key
4DwUV8AnxPgmXSMeThKb
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
cmd
subdirectory
SubDir

Targets

- Target
  
  7a6db8aecc2376ec7dfc50085757841523fb69135e364b70c7319bf7a39209d7.exe
- Size
  
  2.9MB
- MD5
  
  68a23c2fc62bddad0a2c6cf36003577b
- SHA1
  
  67a19bf734520933adfa28afc017c3af1d6a3d5b
- SHA256
  
  7a6db8aecc2376ec7dfc50085757841523fb69135e364b70c7319bf7a39209d7
- SHA512
  
  0386671ee83c0825f80a0c95b4e21eb23054878546aff5d8ef63a3bcc6a32c53a61397009aee8e8c5fc171b1ed0e9b69a31111eb1b860e1ff67264fcac806cef
- SSDEEP
  
  24576:plubLwtFDS7FYNYD7264xnRhc/LSXxH227hqRCeFcOziFJLUfdKTgWA22222222:gZ7h4xnRhcGXxHxOqdq1pup
Score

10^/10

quasar success persistence spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

quasarsuccesspersistencespywaretrojan

behavioral2

quasarsuccesspersistencespywaretrojan

© 2018-2024

Terms | Privacy